Exam Details

  • Exam Code: 200-201
  • Exam Name: Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS)
  • Certification: CyberOps Associate
  • Vendor: Cisco
  • Total Questions: 406 Q&As
  • Last Updated: Apr 23, 2024

Cisco CyberOps Associate 200-201 Questions & Answers

  • Question 311:

    A user received a targeted spear-phishing email and identified it as suspicious before opening the content. To which category of the Cyber Kill Chain model does this type of event belong?

    A. weaponization

    B. delivery

    C. exploitation

    D. reconnaissance

  • Question 312:

    How does an attack surface differ from an attack vector?

    A. An attack vector recognizes the potential outcomes of an attack, and the attack surface is choosing a method of an attack.

    B. An attack surface identifies vulnerable parts for an attack, and an attack vector specifies which attacks are feasible to those parts.

    C. An attack surface mitigates external vulnerabilities, and an attack vector identifies mitigation techniques and possible workarounds.

    D. An attack vector matches components that can be exploited, and an attack surface classifies the potential path for exploitation.

  • Question 313:

    An analyst is investigating a host in the network that appears to be communicating to a command and control server on the Internet. After collecting this packet capture, the analyst cannot determine the technique and payload used for the communication.

    Which obfuscation technique is the attacker using?

    A. Base64 encoding

    B. TLS encryption

    C. SHA-256 hashing

    D. ROT13 encryption

  • Question 314:

    Which technology on a host is used to isolate a running application from other applications?

    A. sandbox

    B. application allow list

    C. application block list

    D. host-based firewall

  • Question 315:

    An engineer receives a security alert that traffic with a known TOR exit node has occurred on the network. What is the impact of this traffic?

    A. ransomware communicating after infection

    B. users downloading copyrighted content

    C. data exfiltration

    D. user circumvention of the firewall

  • Question 316:

    A company is using several network applications that require high availability and responsiveness, such that milliseconds of latency on network traffic is not acceptable. An engineer needs to analyze the network and identify ways to improve traffic movement to minimize delays. Which information must the engineer obtain for this analysis?

    A. total throughput on the interface of the router and NetFlow records

    B. output of routing protocol authentication failures and ports used

    C. running processes on the applications and their total network usage

    D. deep packet captures of each application flow and duration

  • Question 317:

    Which attack method intercepts traffic on a switched network?

    A. denial of service

    B. ARP cache poisoning

    C. DHCP snooping

    D. command and control

  • Question 318:

    Refer to the exhibit.

    An analyst was given a PCAP file, which is associated with a recent intrusion event in the company FTP server. Which display filters should the analyst use to filter the FTP traffic?

    A. dstport == FTP

    B. tcp.port==21

    C. tcpport = FTP

    D. dstport = 21

  • Question 319:

    An investigator is examining a copy of an ISO file that is stored in CDFS format. What type of evidence is this file?

    A. data from a CD copied using Mac-based system

    B. data from a CD copied using Linux system

    C. data from a DVD copied using Windows system

    D. data from a CD copied using Windows

  • Question 320:

    Refer to the exhibit.

    What is the expected result when the "Allow subdissector to reassemble TCP streams" feature is enabled?

    A. insert TCP subdissectors

    B. extract a file from a packet capture

    C. disable TCP streams

    D. unfragment TCP
